Microsoft has admitted a security breach which allowed hackers to access the accounts and data of customers. The admission from Microsoft isn’t complete, and the hackers say the breach is worse than the company is letting on.

Who is affected?

Some people with free Microsoft accounts (Outlook.com, Msn.com, Hotmail.com, etc.). Microsoft says that a ‘limited’ number were affected, and they’ve emailed all the customers who might have been hacked.

Not Office 365 hosted email or corporate accounts.

Not Outlook software for Windows/Mac/Apple/Android. Some of the media reports talk about ‘Outlook’ being hacked when it should read ‘Outlook.com’ (and other domains).

What happened?

Details of the breach aren’t known and there are conflicts between what Microsoft is saying and what the hackers say they did. Take all this with the proverbial ‘pinch of salt’.

Hackers obtained the login of a Microsoft ‘support agent’ and used it for at least three months to access the accounts of customers.

Microsoft says that the hackers had access to email account details such as the account’s e-mail address, the other e-mail addresses that messages were sent to, folder names and the subject lines of e-mails.

The company originally insisted that the content of customer e-mails and attachments was not compromised. The hackers have contacted Motherboard with evidence suggesting more customer content was available than Microsoft said. Microsoft has now admitted some customer email and attachment content was available to the hackers.

According to Microsoft (as first reported by TechCrunch), the breach occurred between January 1 and March 28, but the hackers claim they had a six-month window of access.

Who to believe?

Neither side of this story is entirely trustworthy.

Anonymous statements from criminal hackers don’t have a lot of credibility. Assuming the informants are truly linked to the hackers, they are likely to boast about their achievements.

Microsoft can’t be relied on either. The company has a vested interest in downplaying any damage from the hack. Microsoft has used various PR tactics and obfuscation in the past, and they haven’t been fully open with customers this time.

Redmond’s original assurances about the scale of the attack and data accessible turned out not to be true. Without independent verification, we only have Microsoft’s self-interested word.

The company says only that a ‘limited’ number of customers are affected. They have used the term ‘limited’ before because it implies a small number are affected but, in truth, it could mean any number below 100%.

Microsoft didn’t publicly admit to the breach until affected customers told the media (i.e. forwarded the breach notification email). Then the media asked Microsoft for details which were slowly forthcoming.

The emails to customers went out on a Friday afternoon/evening. That’s an old PR trick to bury bad news: send it out just before a weekend. West Wing fans will remember ‘Take out the Trash Day’.

When presented with more evidence of the hack, Microsoft backtracked on their original claims. They now admit that some customers’ email content and attachments were accessible – something the company originally denied.

Microsoft now claims that 6% of the hacked customers also had email and attachment contents vulnerable. But 6% of how many? Microsoft hasn’t given any hard numbers on the scale of the hack beyond their favorite obfuscation ‘limited’.

Unanswered Questions

The compromise of an account belonging to someone with access to customer accounts is a severe concern. This time the hackers had access to past emails (sent and received). Maybe next time they’ll get into OneDrive or SharePoint storage?

Either the hackers managed to bypass two-factor authentication (‘2Fac’) or Microsoft’s internal account security isn’t up to scratch. Microsoft has previously assured customers that cloud storage is secure from access by staff or associates, but that has clearly NOT been true.

Exactly how many customers were hacked? Microsoft would have more credibility if they were properly honest with customers instead of treating customers like ignorant fools.

What to do

If you received one of Microsoft’s notification emails:

1. Change your Microsoft account password right away.

2. Add Two Factor authentication to protect your account. Both our Office 2016/Office 365 and Windows 10 books have a chapter devoted to Two Factor Authentication, with step-by-step setup and practical advice to make 2Fac easier for you.

3. If you’re an EU resident, consider making a complaint under the GDPR rules. Microsoft would appear to be in breach.

Steps 1 and 2 apply to ALL Microsoft account / Office 365 customers – not just those hacked this time.

Yes, Office-Watch.com harps on about Two-Factor Authentication but for a good reason. It’s the best way to protect your account from hackers. Even if they get your password, hackers can’t get into your account without the unique and time-limited second code.